Bug #55139 Cross-site scripting via user input in PHP notices
https://bugs.php.net/bug.php?id=55139
Status: Not a bug
Category: Scripting Engine problem (Security)
Reported by nbpoole (nbpoole@...)
Tue, 05 Jul 2011 15:28:57 +0000 (last modified Thu, 18 Aug 2011 18:33:15 +0000)
PHP: 5.2.17, OS: All
Description:
------------
The "undefined index" notice generated by PHP does not properly sanitize the name
of the index when it is displayed to the user. As a result, it is possible to
mount a cross-site scripting attack using the notice under a limited set of
circumstances. Specifically:
1. error_reporting includes E_NOTICE
2. display_errors is enabled
3. The user has some control over the name of the index.
I have confirmed this issue on 5.2.17 and 5.4SVN-2011-07-05 (snap).
Test script:
---------------
This script generates an "undefined index" notice where the index is derived from user input. I put a copy at http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254.php:
<?php
error_reporting(E_ALL);
$array = array();
echo $array[$_GET['index']];
This script generates a "Call to undefined function" error where the function name is derived from user input. I put a copy at http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254-2.php:
<?php
error_reporting(E_ALL);
echo $_GET['funct']();
Expected result:
----------------
http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254.php?index=%3Cscript%3Ealert(1)%3C/script%3E
should return
Notice: Undefined index: <script>alert(1)</script> in /home/smartys/nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254.php on line 4
---
http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254-2.php?funct=%3Cscript%3Ealert%281%29%3C/script%3E
should return
Fatal error: Call to undefined function <script>alert(1)</script>() in /home/smartys/nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254-2.php on line 4
Actual result:
--------------
http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254.php?index=%3Cscript%3Ealert(1)%3C/script%3E
does not escape the index name, allowing for XSS.
http://nealpoole.com/poc/147b9119e818c92f7f74bad71cc12254-2.php?funct=%3Cscript%3Ealert%281%29%3C/script%3E
properly escapes the function name.
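Added illustration (not part of the report, and not PHP's own code): the defensive counterpart to the test script above. The report's three preconditions are E_NOTICE being reported, display_errors being on, and user control over the index name; the example removes the second precondition for production, routes the raw message to the server log, and HTML-escapes anything that is still shown, so a user-controlled index name can no longer reach the page unescaped. It assumes PHP 7 or later; the SHOW_DIAGNOSTICS constant is a hypothetical per-environment switch, not a PHP setting.

```php
<?php
// Added example: hardened handling of "undefined index" diagnostics.
// Assumes PHP 7+. SHOW_DIAGNOSTICS is a hypothetical constant a deployment
// would define only outside production.

// 1. Production defaults: never display raw errors to the client, log them.
//    The equivalent php.ini lines are display_errors=Off and log_errors=On.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Custom handler: full detail goes to the log; any on-page rendering of
//    the message (development only) is HTML-escaped first.
function safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // The unescaped message is safe in the log, which is not rendered as HTML.
    error_log(sprintf('[%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline));

    if (defined('SHOW_DIAGNOSTICS') && SHOW_DIAGNOSTICS) {
        // Escape the message: the index name inside it may come from $_GET.
        echo '<p class="notice">',
             htmlspecialchars($errstr, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
             '</p>';
    }
    // true = handled; PHP's built-in display path is skipped.
    return true;
}
set_error_handler('safe_error_handler');

// 3. Avoid the notice in the first place: check the key, then escape the value.
function render_lookup(array $array, string $index): string
{
    if (!array_key_exists($index, $array)) {
        // Return a fixed string instead of echoing the caller-supplied key.
        return '<p>No such entry.</p>';
    }
    return '<p>' . htmlspecialchars((string) $array[$index], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$array = [];
echo render_lookup($array, (string) ($_GET['index'] ?? ''));

// The original access pattern still works, but its diagnostic now passes
// through safe_error_handler rather than PHP's raw display.
echo $array[$_GET['index'] ?? ''] ?? '';
```

The last line keeps the `??` fallback so that, under PHP 7+, no notice is raised for a missing key at all; remove the fallback to observe the handler logging (and, with SHOW_DIAGNOSTICS defined, escaping) the E_NOTICE that PHP 5 and 7 emit, or the E_WARNING that PHP 8 emits, for an undefined key.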